Excerpted from a HIPAA Journal Blog by Steve Alder
Whether or not a HIPAA violation will show up on a background check depends on the nature of the violation, the consequences of the violation, and the motive for the violation. While it is currently rare for a HIPAA violation to show up on a background check, this may change due to a proposed update to the Privacy Rule.
There are many different types of HIPAA violations. Some have minimal impact and no long-lasting consequences – e.g., an accidental disclosure of PHI that is overheard, but nothing comes of it – whereas others can have a major impact on an organization and serious consequences for individuals affected by the violation – e.g., the deliberate misuse of login credentials that exposes a PHI database.
Most employee HIPAA violations are addressed according to a Covered Entity’s sanctions policy. Employees responsible for minor violations will likely be sanctioned with verbal or written warnings and additional HIPAA training. Those responsible for repeated or serious violations could be sanctioned with a suspension or termination of employment, or loss of license to practice.
A suspension, termination, or loss of license would be recorded in an employment record, but would not show up on a background check unless the motive for the HIPAA violation was the knowing and wrongful disclosure of individually identifiable health information without authorization – which is not only a violation of HIPAA, but also a violation of §1177 of the Social Security Act.
When a HIPAA Violation Will Show Up on a Background Check
When a HIPAA violation is also a violation of the Social Security Act, an employer is required to report the violation to a law enforcement agency as well as HHS’ Office for Civil Rights. The case will be referred to the Department of Justice, which will pursue a criminal conviction for the violation. If successful, the penalties for criminally violating HIPAA are:
- For wrongfully and knowingly violating §1177 of the Social Security Act – a fine of up to $50,000 and/or a prison sentence of up to one year.
- If the offence is committed under false pretenses (i.e., with someone else’s login credentials) – a fine of up to $100,000 and/or a prison sentence of up to five years.
- If the offence is committed for personal gain, malicious harm, or a commercial advantage – a fine of up to $250,000 and/or a prison sentence of up to ten years.
Regardless of the sentence imposed, the HIPAA violation, the consequences of the HIPAA violation, and the penalty for the HIPAA violation will become public record and will show up on a background check.
The Proposed Update to the Privacy Rule
In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register. The Notice is in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which led to many states introducing anti-abortion legislation and women having to cross state lines to have terminations in states where abortions are still legal.
States with anti-abortion legislation cannot prevent women from crossing state lines to have a termination, but some have introduced further legislation criminalizing the act of assisting with or facilitating a termination procedure. Because this could lead to the disclosure of PHI to pursue a criminal conviction relating to a medical procedure that was legal in the state in which it was administered, HHS’ Office for Civil Rights is proposing an update to the Privacy Rule.